With Third Party Records, Privacy Doesn’t Require Secrecy
Did you just buy a shiny new smartphone loaded with the newest and greatest features to have conversations throughout the day, wherever you are? While your phone’s capabilities are distinctly modern, a new decision in United States v. Davis allowing police to get without a warrant records of which cell tower your phone connects to ensures that a key privacy protection you should have when using your phone is stuck in 1979.
Davis: The Facts and Ruling
In Davis, police wanted to get cell site information—the record of which cell phone tower your phone connects to—about Quartavious Davis to connect him to seven separate robberies in and around Miami, Florida. Instead of getting a search warrant, police relied on the Stored Communication Act (SCA), a federal statute that allows police to use a very simple court order to get certain customer records from cell phone service providers. They only need to show that the records are material and relevant to an ongoing criminal investigation. This standard is weaker than the probable cause standard required for police to obtain a search warrant.
Although law enforcement claimed it only wanted the location information to pin Davis to the seven robberies, armed with the SCA order, police obtained more than two months worth of location information on Davis, which gave them a whopping 11,000 cell phone tower data points. Prosecutors used that information to convince a jury that Davis was in the vicinity of each of the robberies, and he was ultimately given a 161-year prison sentence.
On appeal, a three-judge panel of the United States Court of Appeals for the Eleventh Circuit found the government violated Davis’ Fourth Amendment rights against unreasonable search and seizure by obtaining the cell site location records without a warrant, though it didn’t reverse his conviction. Despite winning the appeal, the government nonetheless convinced the entire Eleventh Circuit to rehear the case before an eleven-judge en banc panel. We weighed in, filing an amicus brief explaining why it’s reasonable for people to expect this sensitive location information to remain private. Unfortunately, in a 9-2 ruling the court disagreed, finding people have no expectation of privacy in cell site location records because the court believed the information was voluntarily given to and belonged to the cell phone service providers, not the individual users. The court relied on the Supreme Court’s 1979 decision in Smith v. Maryland, which held that the so-called “third party doctrine” meant there was no expectation of privacy in information turned over to a telephone company.
The Eleventh Circuit’s analysis is remarkably deaf to the realities of modern life. At a time when 90% of Americans carry cell phones—the majority of which are Internet enabled smartphones—the court basically told the public the way to protect themselves from warrantless surveillance was not through the Fourth Amendment, but by turning their phones off.
Confusing Privacy and Secrecy Expectations
One of the biggest problems in Davis is its straitjacket application of Smith to support the notion that there’s no expectation of privacy for information turned over to third parties, regardless of how sensitive this information can be, especially when aggregated. Smith, the most important “third party doctrine” case, involved primitive 1970s technology: a pen register that recorded the phone numbers a person dialed from a stationary phone. Cell site location records, in contrast, can track your phone’s every move. Because we carry our phones with us as we travel throughout the day—one study found 12% of people even use their phones in the shower—and because our phones generate cell site location information constantly, this information is far richer and intricate than anything that existed in the 1970s. Yet despite this, too many courts, including the Eleventh Circuit here, simply ignore the stark differences between these technologies and ignore the far greater impact that revealing this information has on people’s private lives.
In addition, the underlying justification for the “third party doctrine”—that people assume the risk that information they give to others would be freely shared—is simply not true now. It wasn’t even true in the 1970s, as Justice Marshall (joined by Justice Brennan) recognized even back then the necessity of having a landline phone in his dissenting opinion in Smith:
By contrast here, unless a person is prepared to forgo use of what for many has become a personal or professional necessity, he cannot help but accept the risk of surveillance...It is idle to speak of “assuming” risks in contexts where, as a practical mater, individuals have no realistic alternative.
While Justice Marshall didn’t sway a majority of the Supreme Court, his insight is even more prescient today. The fact that today a cell phone is not a luxury but a necessity means it’s unreasonable to condition participation in modern society with the surrender of privacy rights.
Ultimately, the Eleventh Circuit fell into the familiar trap of confusing privacy—the right to control who accesses your information and to limit how that information can be used—with secrecy, the ability to block everybody else from ever learning the information in the first place. But this distinction is critical in the 21st century, where an increasing amount of information about our daily lives ends up with third party service providers and in the cloud. As Supreme Court Justice Sonia Sotomayor noted in her 2012 concurring opinion in United States v. Jones, an approach that excludes Fourth Amendment protection to digital data stored with others is “ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks.” More fundamentally, she noted that it was time to stop treating “secrecy as a prerequisite for privacy.”
Here, that should mean Davis was reasonable to expect that his location information—revealed only to the phone company to route his calls—would remain private even if he had to roughly reveal it (make it not secret) to actually use his phone.
Do Floridians Have a Right of Privacy in Their Cell Site Locations or Not?
Even more frustrating, prior court decisions have promised Florida residents that their phone records generally and cell site location records specifically are private even when they aren’t completely secret. At least until Davis.
Eleventh Circuit decisions govern state and federal law enforcement in Florida (as well as Alabama and Georgia). Although the court believed people in Florida have no expectation of privacy in cell phone location information, the Florida Supreme Court reached the opposite conclusion last year in Tracey v. State, ruling people—in Florida at least—had an expectation of privacy under the Fourth Amendment in cell phone location information even though the records belonged to the cell phone company. While the Davis court distinguished its holding from Tracey by noting the Florida Supreme Court was looking at real time rather than historical cell phone tracking, that’s ultimately a factual distinction without a legal difference.
The result is conflicting expectations, making it hard to understand why a Florida resident has now been told it’s unreasonable to rely on the privacy protections they’ve previously been promised.
Supreme Court Guidance
Sadly, Davis isn’t the first federal appeals court to reach this result, as the Fifth Circuit ruled in 2013 law enforcement doesn’t need a warrant to access this sensitive cell site location information. Meanwhile, the issue is pending in both the Fourth and Sixth Circuits, where we’ve filed amicus briefs with a number of our organizational friends explaining why a warrant should be required. We hope these courts look at the technology head-on rather than rely on antiquated analogies to cases decided in the days of analog.
Ultimately, we expect the U.S. Supreme Court will have to address this issue, but at least on that front, they are not stuck in the past. Last summer, the Supreme Court in Riley v. California provided a blueprint on how to confront technology when it ruled police could not search the data on a cell phone of a person arrested without a warrant. That case also involved the government’s attempt to rely to an earlier case, United States v. Robinson, which allowed police to search a pack of cigarettes found on an arrestee without a warrant. The government argued a cell phone and a pack of cigarettes were the same thing—an item capable of holding another item—and thus could be searched without a warrant. But the Supreme Court unanimously rejected that faulty analysis, explaining
That is like saying a ride on horseback is materially indistinguishable from a flight to the moon. Both are ways of getting from point A to point B, but little else justifies lumping them together. Modern cell phones, as a category, implicate privacy concerns far beyond those implicated by the search of a cigarette pack, a wallet, or a purse.
The Eleventh Circuit dismissed what happened in Riley as “not helpful,” but it missed the larger point. In failing to draw the distinction that the Supreme Court found obvious in Riley, the Eleventh Circuit issued a decision that will have ripple effects concerning many other forms of sensitive personal information stored online and held by third-party service providers. We hope the other circuit courts considering cell-tracking technology follow the Supreme Court of 2014 rather than the one of 1979.
Recent DeepLinks Posts
Jan 23, 2017
Jan 23, 2017
Jan 19, 2017
Jan 19, 2017
Jan 19, 2017
- Fair Use and Intellectual Property: Defending the Balance
- Free Speech
- UK Investigatory Powers Bill
- Know Your Rights
- Trade Agreements and Digital Rights
- State-Sponsored Malware
- Abortion Reporting
- Analog Hole
- Anti-Counterfeiting Trade Agreement
- Artificial Intelligence & Machine Learning
- Bloggers' Rights
- Border Searches
- Broadcast Flag
- Broadcasting Treaty
- Cell Tracking
- Coders' Rights Project
- Computer Fraud And Abuse Act Reform
- Content Blocking
- Copyright Trolls
- Council of Europe
- Cyber Security Legislation
- Defend Your Right to Repair!
- Development Agenda
- Digital Books
- Digital Radio
- Digital Video
- DMCA Rulemaking
- Do Not Track
- E-Voting Rights
- EFF Europe
- Electronic Frontier Alliance
- Encrypting the Web
- Export Controls
- FAQs for Lodsys Targets
- File Sharing
- Fixing Copyright? The 2013-2016 Copyright Review Process
- Genetic Information Privacy
- Government Hacking and Subversion of Digital Security
- Hollywood v. DVD
- How Patents Hinder Innovation (Graphic)
- International Privacy Standards
- Internet Governance Forum
- Law Enforcement Access
- Legislative Solutions for Patent Reform
- Locational Privacy
- Mandatory Data Retention
- Mandatory National IDs and Biometric Databases
- Mass Surveillance Technologies
- Medical Privacy
- Mobile devices
- National Security and Medical Information
- National Security Letters
- Net Neutrality
- No Downtime for Free Speech
- NSA Spying
- Offline : Imprisoned Bloggers and Technologists
- Online Behavioral Tracking
- Open Access
- Open Wireless
- Patent Busting Project
- Patent Trolls
- PATRIOT Act
- Pen Trap
- Policy Analysis
- Public Health Reporting and Hospital Discharge Data
- Reading Accessibility
- Real ID
- Reclaim Invention
- Search Engines
- Search Incident to Arrest
- Section 230 of the Communications Decency Act
- Shadow Regulation
- Social Networks
- SOPA/PIPA: Internet Blacklist Legislation
- Student Privacy
- Stupid Patent of the Month
- Surveillance and Human Rights
- Surveillance Drones
- Terms Of (Ab)Use
- Test Your ISP
- The "Six Strikes" Copyright Surveillance Machine
- The Global Network Initiative
- The Law and Medical Privacy
- TPP's Copyright Trap
- Trans-Pacific Partnership Agreement
- Travel Screening
- Trusted Computing
- Video Games